Yesterday in a colaborative effort, we sent a true 0-day sample of the 2nd generation WMF exploit to virustotal. As expected, no detections were made. The payload in that sample was a very basic, commonly known and available payload. So the payload might get detected without the exploit being detected. But even there, we had no such luck then.
We sent in a similar sample today.
The results are not all that good:
eTrust-Vet 126.96.36.199 01.01.2006 Win32/Worfo
McAfee 4664 01.01.2006 Exploit-WMF
Symantec 8.0 01.01.2006 Backdoor.Trojan
All the others failed to detect the sample.
Do note that the Symantec detect is most likely on the payload. That payload isn't what any of the bad guys playing with this will insert. They will insert far nastier and far less off-the-shelf stuff than what we did.
So for now you still have the best chance with following the advice in this diary entry.
Jan 1st 2006
1 decade ago